Wikimedia Mediawiki

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in Wikimedia Mediawiki.

EOL Dates

Ensure that you are using a supported version of Wikimedia Mediawiki. Here are some end of life, and end of support dates for Wikimedia Mediawiki.

Release	EOL Date	Status
1.45	December 31, 2026	EOL This Year Wikimedia Mediawiki 1.45 will become EOL this year, in December 2026.
1.44	July 31, 2026	EOL This Year Wikimedia Mediawiki 1.44 will become EOL this year, in July 2026.
1.43	December 31, 2027	Active Wikimedia Mediawiki 1.43 will become EOL next year, in December 2027.
1.42	June 30, 2025	EOL Wikimedia Mediawiki 1.42 became EOL in 2025.
1.41	December 31, 2024	EOL Wikimedia Mediawiki 1.41 became EOL in 2024.
1.40	June 28, 2024	EOL Wikimedia Mediawiki 1.40 became EOL in 2024.
1.39	December 31, 2025	EOL Wikimedia Mediawiki 1.39 became EOL in 2025.
1.38	June 30, 2023	EOL Wikimedia Mediawiki 1.38 became EOL in 2023.
1.37	November 30, 2022	EOL Wikimedia Mediawiki 1.37 became EOL in 2022.
1.36	June 3, 2022	EOL Wikimedia Mediawiki 1.36 became EOL in 2022.
1.35	December 21, 2023	EOL Wikimedia Mediawiki 1.35 became EOL in 2023.
1.34	November 30, 2020	EOL Wikimedia Mediawiki 1.34 became EOL in 2020.
1.33	June 30, 2020	EOL Wikimedia Mediawiki 1.33 became EOL in 2020.
1.32	January 24, 2020	EOL Wikimedia Mediawiki 1.32 became EOL in 2020.
1.31	September 30, 2021	EOL Wikimedia Mediawiki 1.31 became EOL in 2021.

By the Year

In 2026 there have been 38 vulnerabilities in Wikimedia Mediawiki with an average score of 5.8 out of ten. Last year, in 2025 Mediawiki had 20 security vulnerabilities published. That is, 18 more vulnerabilities have already been reported in 2026 as compared to last year. Last year, the average CVE base score was greater by 2.97

Year	Vulnerabilities	Average Score
2026	38	5.83
2025	20	8.80
2024	2	6.10
2023	2	5.70
2022	3	4.83
2021	0	0.00
2020	2	0.00
2019	1	0.00

It may take a day or so for new Mediawiki vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Wikimedia Mediawiki Security Vulnerabilities

MediaWiki XSS via mediawiki.JqueryMsg.Js before 1.45.1
CVE-2025-67481 - February 03, 2026

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.JqueryMsg/mediawiki.JqueryMsg.Js. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.

XSS

XSS in MediaWiki Page.Preview.Js (pre1.43.6, 1.44.3, 1.45.1)
CVE-2025-67483 - February 03, 2026

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Page.Preview.Js. This issue affects MediaWiki: from * before 1.43.6, 1.44.3, 1.45.1.

XSS

MediaWiki XML API Exec in Pre-1.39.16, 1.43.6, 1.44.3 & 1.45.1
CVE-2025-67484 - February 03, 2026

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiFormatXml.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.

Improper Input Validation

MediaWiki API Query Revisions Base RCE before 1.39.16/1.43.6/1.44.3/1.45.1
CVE-2025-67480 - February 03, 2026

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiQueryRevisionsBase.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.

Improper Input Validation

MediaWiki XSS in CommentParser.Php before 1.39.16 (fixed 1.39.16)
CVE-2025-67475 - February 03, 2026

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/CommentFormatter/CommentParser.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.

XSS

MediaWiki <1.44.3/1.45.1: ImportableOldRevisionImporter.PHP RCE
CVE-2025-67476 - February 03, 2026

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Import/ImportableOldRevisionImporter.Php. This issue affects MediaWiki: from * before 1.44.3, 1.45.1.

MediaWiki XSS in ApiSandboxLayout.Js before 1.44.3/1.45.1
CVE-2025-67477 - February 03, 2026

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandboxLayout.Js. This issue affects MediaWiki: from * before 1.44.3, 1.45.1.

XSS

MediaWiki <=1.39.13, 1.43.3, 1.44.0 ParserSanitizer RCE
CVE-2025-67479 - February 03, 2026

Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Cite. This vulnerability is associated with program files includes/Parser/CoreParserFunctions.Php, includes/Parser/Sanitizer.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1; Cite: from * before 1.39.14, 1.43.4, 1.44.1.

MediaWiki XSS in mediawiki.Language.Js (before 1.39.15, 1.43.5, 1.44.2)
CVE-2025-11261 - February 03, 2026

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Language/mediawiki.Language.Js. This issue affects MediaWiki: from * before 1.39.15, 1.43.5, 1.44.2.

XSS

MediaWiki XSS in CodexTablePager.PHP before 1.44.1 (VWMK)
CVE-2025-61645 - February 03, 2026

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/pager/CodexTablePager.Php. This issue affects MediaWiki: from * before 1.44.1.

XSS

MediaWiki EnhancedChangesList.PHP RCE before 1.44.1
CVE-2025-61646 - February 03, 2026

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/RecentChanges/EnhancedChangesList.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.

Directory traversal

MediaWiki XSS via WatchlistTopSectionWidget.js
CVE-2025-61644 - February 02, 2026

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Rcfilters/ui/WatchlistTopSectionWidget.Js. This issue affects MediaWiki: from * before > fb856ce9cf121e046305116852cca4899ecb48ca.

XSS

MediaWiki XSS via Edit.Preview.Js (pre1.39.14/1.43.4/1.44.1)
CVE-2025-61637 - February 02, 2026

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Action/mediawiki.Action.Edit.Preview.Js, resources/src/mediawiki.Page.Preview.Js. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.

XSS

MediaWiki/Parsoid XSS Sanitizer.Php (1.39.14,1.43.4,1.44.1; 0.16.6,0.20.4,0.21.1)
CVE-2025-61638 - February 02, 2026

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid. This vulnerability is associated with program files includes/parser/Sanitizer.Php, src/Core/Sanitizer.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1; Parsoid: from * before 0.16.6, 0.20.4, 0.21.1.

XSS

MediaWiki ManualLogEntry PHP info leak before 1.39.14/1.43.4/1.44.1
CVE-2025-61639 - February 02, 2026

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/logging/ManualLogEntry.Php, includes/recentchanges/RecentChangeFactory.Php, includes/recentchanges/RecentChangeStore.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.

Information Disclosure

MediaWiki XSS in Rcfilters RclToOrFromWidget.Js (pre1.39.14/1.43.4/1.44.1)
CVE-2025-61640 - February 02, 2026

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Rcfilters/ui/RclToOrFromWidget.Js. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.

XSS

MediaWiki 1.44 < 1.44.1 AllPages API Vulnerability (Traversal)
CVE-2025-61641 - February 02, 2026

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiQueryAllPages.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.

Directory traversal

MediaWiki XSS via CodexHTMLForm.PHP before 1.39.14/1.43.4/1.44.1
CVE-2025-61642 - February 02, 2026

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/CodexHTMLForm.Php, includes/htmlform/fields/HTMLButtonField.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.

XSS

MediaWiki RCFeedNotifier PHP RCE <1.39.14, 1.43.4, 1.44.1
CVE-2025-61643 - February 02, 2026

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/recentchanges/RecentChangeRCFeedNotifier.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.

MediaWiki PageHTMLHandler PHP RCE before 1.39.14/1.43.4/1.44.1
CVE-2025-61634 - February 02, 2026

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Rest/Handler/PageHTMLHandler.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.

XSS in MediaWiki <1.39.14, 1.43.4, 1.44.1 via HTMLButtonField.php
CVE-2025-61636 - February 02, 2026

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLButtonField.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.

XSS

MediaWiki 1.42+ BlockListPager.Php Vulnerability
CVE-2025-6589 - February 02, 2026

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/specials/pagers/BlockListPager.Php. This issue affects MediaWiki: >= 1.42.0.

Directory traversal

MediaWiki <1.44.0 Unauthorized Info Leak via HTMLUserTextField
CVE-2025-6590 - February 02, 2026

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLUserTextField.Php. This issue affects MediaWiki: from * through 1.39.12, 1.42.76 1.43.1, 1.44.0.

Information Disclosure

MediaWiki ApiFeedContributions.php Vulnerability pre-1.39.13/1.42.7/1.44.0
CVE-2025-6591 - February 02, 2026

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiFeedContributions.Php. This issue affects MediaWiki: from * before 1.39.13, 1.42.7 1.43.2, 1.44.0.

XSS

MediaWiki User.Php Path Traversal 1.27.01.39.13, 1.42.71.44.0
CVE-2025-6593 - February 02, 2026

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/user/User.Php. This issue affects MediaWiki: from 1.27.0 before 1.39.13, 1.42.7 1.43.2, 1.44.0.

Information Disclosure

MediaWiki XSS via ApiSandbox.Js <=1.39.13,1.42.7,1.43.2,1.44.0
CVE-2025-6594 4.7 - Medium - February 02, 2026

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandbox.Js. This issue affects MediaWiki: from 1.27.0 before 1.39.13, 1.42.7 1.43.2, 1.44.0.

XSS

MediaWiki AuthManager PHP RCE before 1.39.13, 1.42.7, 1.43.2, 1.44.0
CVE-2025-6597 - February 02, 2026

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/auth/AuthManager.Php. This issue affects MediaWiki: from * before 1.39.13, 1.42.7, 1.43.2, 1.44.0.

Directory traversal

MediaWiki 1.42-1.44 BlockListPager.Php & ApiQueryBlocks.Php Vulnerability
CVE-2025-6927 - February 02, 2026

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/specials/pagers/BlockListPager.Php, includes/api/ApiQueryBlocks.Php. This issue affects MediaWiki: from >= 1.42.0 before 1.39.13, 1.42.7 1.43.2, 1.44.0.

Directory traversal

Mediawiki DiscussionTools 1.43/1.44: EL Injection & Regex DoS
CVE-2025-11175 - January 30, 2026

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in The Wikimedia Foundation Mediawiki - DiscussionTools Extension allows Regular Expression Exponential Blowup.This issue affects Mediawiki - DiscussionTools Extension: 1.44, 1.43.

EL Injection

Missing Auth in MediaWiki CampaignEvents Ext 1.45-1.39 Priv Abuse
CVE-2026-0817 5.3 - Medium - January 09, 2026

Missing Authorization vulnerability in Wikimedia Foundation MediaWiki - CampaignEvents extension allows Privilege Abuse.This issue affects MediaWiki - CampaignEvents extension: 1.45, 1.44, 1.43, 1.39.

AuthZ

MediaWiki ApprovedRevs 1.45-1.39 - XSS via magic word escape
CVE-2026-22712 - January 09, 2026

Improper Encoding or Escaping of Output due to magic word replacement in ParserAfterTidy vulnerability in The Wikimedia Foundation Mediawiki - ApprovedRevs Extension allows Input Data Manipulation.This issue affects Mediawiki - ApprovedRevs Extension: 1.45, 1.44, 1.43, 1.39.

Output Sanitization

MediaWiki GrowthExperiments XSS Before 1.45 Fixed
CVE-2026-22713 - January 09, 2026

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - GrowthExperiments Extension: 1.45, 1.44, 1.43, 1.39.

XSS

Mediawiki - Monaco Skin XSS Vulnerability in v1.45,1.44,1.43,1.39
CVE-2026-22714 - January 08, 2026

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Monaco Skin allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Monaco Skin: 1.45, 1.44, 1.43, 1.39.

XSS

MediaWiki Wikibase 1.45 XSS via Improper Input Neutralization
CVE-2026-22710 - January 08, 2026

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Wikibase Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Wikibase Extension: 1.45, 1.44, 1.43, 1.39.

XSS

MediaWiki UploadWizard XSS in v1.391.45
CVE-2026-0671 6.1 - Medium - January 08, 2026

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki - UploadWizard extension allows Cross-Site Scripting (XSS).This issue affects MediaWiki - UploadWizard extension: 1.45, 1.44, 1.43, 1.39.

XSS

ProofreadPage Extension 1.39-1.45 XSS Vulnerability
CVE-2026-0670 6.1 - Medium - January 07, 2026

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki - ProofreadPage Extension allows Cross-Site Scripting (XSS).This issue affects MediaWiki - ProofreadPage Extension: 1.45, 1.44, 1.43, 1.39.

XSS

MediaWiki CSS Ext. Path Traversal (1.44) CVE20260669
CVE-2026-0669 7.5 - High - January 07, 2026

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Wikimedia Foundation MediaWiki - CSS extension allows Path Traversal.This issue affects MediaWiki - CSS extension: 1.44, 1.43, 1.39.

Directory traversal

MediaWiki VisualData Ext 1.45 ReDoS via Regex Exponential Blowup
CVE-2026-0668 5.3 - Medium - January 07, 2026

Inefficient Regular Expression Complexity vulnerability in Wikimedia Foundation MediaWiki - VisualData Extension allows Regular Expression Exponential Blowup.This issue affects MediaWiki - VisualData Extension: 1.45.

ReDoS

MediaWiki CookieConsent Extension <= v2.0.0 XSS via Improper Input Neutralization
CVE-2025-62659 - October 22, 2025

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation MediaWiki CookieConsent extension allows Cross-Site Scripting (XSS).This issue affects MediaWiki CookieConsent extension: from v0.1.0 before v2.0.0.

XSS

MediaWiki LanguageSelector Extension <=1.38 Code Injection via Improper Escaping
CVE-2025-62697 - October 20, 2025

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in The Wikimedia Foundation Mediawiki - LanguageSelector Extension allows Code Injection.This issue affects Mediawiki - LanguageSelector Extension: from master before 1.39.

Injection

MediaWiki MultiBoilerplate Ext Stored XSS Pre1.39
CVE-2025-62700 - October 20, 2025

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - MultiBoilerplate Extensionmaste allows Stored XSS.This issue affects Mediawiki - MultiBoilerplate Extensionmaste: from master before 1.39.

XSS

MediaWiki SecurePoll Ext XSS Stored Vulnerability (CVE-2025-11937)
CVE-2025-11937 - October 18, 2025

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - SecurePoll Extension allows Stored XSS.This issue affects Mediawiki - SecurePoll Extension: master.

XSS

MediaWiki CirrusSearch DoS: no throttling pre-1.43
CVE-2025-62666 - October 18, 2025

Allocation of Resources Without Limits or Throttling vulnerability in The Wikimedia Foundation Mediawiki - CirrusSearch Extension allows HTTP DoS.This issue affects Mediawiki - CirrusSearch Extension: from master before 1.43.

Allocation of Resources Without Limits or Throttling

MediaWiki GrowthExperiments Ext <=1.38 XSS
CVE-2025-62667 - October 18, 2025

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Stored XSS.This issue affects Mediawiki - GrowthExperiments Extension: from master before 1.39.

XSS

Incorrect Default Permissions in MediaWiki GrowthExperiments Ext (pre-1.39)
CVE-2025-62668 - October 18, 2025

Incorrect Default Permissions vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Resource Leak Exposure.This issue affects Mediawiki - GrowthExperiments Extension: from master before 1.39.

Incorrect Default Permissions

MediaWiki CentralAuth Extension v<1.39 Sensitive Info Disclosure
CVE-2025-62669 - October 18, 2025

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in The Wikimedia Foundation Mediawiki - CentralAuth Extension allows Resource Leak Exposure.This issue affects Mediawiki - CentralAuth Extension: from master before 1.39.

Information Disclosure

MediaWiki FlexDiagrams Extension Stored XSS via Improper Input Neutralization
CVE-2025-62670 - October 18, 2025

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - FlexDiagrams Extension allows Stored XSS.This issue affects Mediawiki - FlexDiagrams Extension: master.

XSS

Stored XSS Mediawiki UploadWizard Extension <1.39
CVE-2025-62663 - October 18, 2025

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - UploadWizard Extension allows Stored XSS.This issue affects Mediawiki - UploadWizard Extension: from master before 1.39.

XSS

MediaWiki ImageRating Ext (1.39) - Stored XSS CVE-2025-62664
CVE-2025-62664 - October 18, 2025

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - ImageRating Extension allows Stored XSS.This issue affects Mediawiki - ImageRating Extension: from master before 1.39.

XSS

MediaWiki QuizGame 1.39-1.44 Improper Input Neutralization (XSS)
CVE-2025-62654 - October 17, 2025

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation MediaWiki QuizGame extension allows Stored XSS.This issue affects MediaWiki QuizGame extension: 1.39, 1.43, 1.44.

XSS

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Wikimedia Mediawiki or by Wikimedia? Click the Watch button to subscribe.

Wikimedia
Vendor

Wikimedia Mediawiki
Product

Wikimedia Mediawiki

Don't miss out!

EOL Dates

By the Year

Recent Wikimedia Mediawiki Security Vulnerabilities

MediaWiki XSS via mediawiki.JqueryMsg.Js before 1.45.1 CVE-2025-67481 - February 03, 2026

XSS in MediaWiki Page.Preview.Js (pre1.43.6, 1.44.3, 1.45.1) CVE-2025-67483 - February 03, 2026

MediaWiki XML API Exec in Pre-1.39.16, 1.43.6, 1.44.3 & 1.45.1 CVE-2025-67484 - February 03, 2026

MediaWiki API Query Revisions Base RCE before 1.39.16/1.43.6/1.44.3/1.45.1 CVE-2025-67480 - February 03, 2026

MediaWiki XSS in CommentParser.Php before 1.39.16 (fixed 1.39.16) CVE-2025-67475 - February 03, 2026

MediaWiki <1.44.3/1.45.1: ImportableOldRevisionImporter.PHP RCE CVE-2025-67476 - February 03, 2026

MediaWiki XSS in ApiSandboxLayout.Js before 1.44.3/1.45.1 CVE-2025-67477 - February 03, 2026

MediaWiki <=1.39.13, 1.43.3, 1.44.0 ParserSanitizer RCE CVE-2025-67479 - February 03, 2026

MediaWiki XSS in mediawiki.Language.Js (before 1.39.15, 1.43.5, 1.44.2) CVE-2025-11261 - February 03, 2026

MediaWiki XSS in CodexTablePager.PHP before 1.44.1 (VWMK) CVE-2025-61645 - February 03, 2026

MediaWiki EnhancedChangesList.PHP RCE before 1.44.1 CVE-2025-61646 - February 03, 2026

MediaWiki XSS via WatchlistTopSectionWidget.js CVE-2025-61644 - February 02, 2026

MediaWiki XSS via Edit.Preview.Js (pre1.39.14/1.43.4/1.44.1) CVE-2025-61637 - February 02, 2026

MediaWiki/Parsoid XSS Sanitizer.Php (1.39.14,1.43.4,1.44.1; 0.16.6,0.20.4,0.21.1) CVE-2025-61638 - February 02, 2026

MediaWiki ManualLogEntry PHP info leak before 1.39.14/1.43.4/1.44.1 CVE-2025-61639 - February 02, 2026

MediaWiki XSS in Rcfilters RclToOrFromWidget.Js (pre1.39.14/1.43.4/1.44.1) CVE-2025-61640 - February 02, 2026

MediaWiki 1.44 < 1.44.1 AllPages API Vulnerability (Traversal) CVE-2025-61641 - February 02, 2026

MediaWiki XSS via CodexHTMLForm.PHP before 1.39.14/1.43.4/1.44.1 CVE-2025-61642 - February 02, 2026

MediaWiki RCFeedNotifier PHP RCE <1.39.14, 1.43.4, 1.44.1 CVE-2025-61643 - February 02, 2026

MediaWiki PageHTMLHandler PHP RCE before 1.39.14/1.43.4/1.44.1 CVE-2025-61634 - February 02, 2026

XSS in MediaWiki <1.39.14, 1.43.4, 1.44.1 via HTMLButtonField.php CVE-2025-61636 - February 02, 2026

MediaWiki 1.42+ BlockListPager.Php Vulnerability CVE-2025-6589 - February 02, 2026

MediaWiki <1.44.0 Unauthorized Info Leak via HTMLUserTextField CVE-2025-6590 - February 02, 2026

MediaWiki ApiFeedContributions.php Vulnerability pre-1.39.13/1.42.7/1.44.0 CVE-2025-6591 - February 02, 2026

MediaWiki User.Php Path Traversal 1.27.01.39.13, 1.42.71.44.0 CVE-2025-6593 - February 02, 2026

MediaWiki XSS via ApiSandbox.Js <=1.39.13,1.42.7,1.43.2,1.44.0 CVE-2025-6594 4.7 - Medium - February 02, 2026

MediaWiki AuthManager PHP RCE before 1.39.13, 1.42.7, 1.43.2, 1.44.0 CVE-2025-6597 - February 02, 2026

MediaWiki 1.42-1.44 BlockListPager.Php & ApiQueryBlocks.Php Vulnerability CVE-2025-6927 - February 02, 2026

Mediawiki DiscussionTools 1.43/1.44: EL Injection & Regex DoS CVE-2025-11175 - January 30, 2026

Missing Auth in MediaWiki CampaignEvents Ext 1.45-1.39 Priv Abuse CVE-2026-0817 5.3 - Medium - January 09, 2026

MediaWiki ApprovedRevs 1.45-1.39 - XSS via magic word escape CVE-2026-22712 - January 09, 2026

MediaWiki GrowthExperiments XSS Before 1.45 Fixed CVE-2026-22713 - January 09, 2026

Mediawiki - Monaco Skin XSS Vulnerability in v1.45,1.44,1.43,1.39 CVE-2026-22714 - January 08, 2026

MediaWiki Wikibase 1.45 XSS via Improper Input Neutralization CVE-2026-22710 - January 08, 2026

MediaWiki UploadWizard XSS in v1.391.45 CVE-2026-0671 6.1 - Medium - January 08, 2026

ProofreadPage Extension 1.39-1.45 XSS Vulnerability CVE-2026-0670 6.1 - Medium - January 07, 2026

MediaWiki CSS Ext. Path Traversal (1.44) CVE20260669 CVE-2026-0669 7.5 - High - January 07, 2026

MediaWiki VisualData Ext 1.45 ReDoS via Regex Exponential Blowup CVE-2026-0668 5.3 - Medium - January 07, 2026

MediaWiki CookieConsent Extension <= v2.0.0 XSS via Improper Input Neutralization CVE-2025-62659 - October 22, 2025

MediaWiki LanguageSelector Extension <=1.38 Code Injection via Improper Escaping CVE-2025-62697 - October 20, 2025

MediaWiki MultiBoilerplate Ext Stored XSS Pre1.39 CVE-2025-62700 - October 20, 2025

MediaWiki SecurePoll Ext XSS Stored Vulnerability (CVE-2025-11937) CVE-2025-11937 - October 18, 2025

MediaWiki CirrusSearch DoS: no throttling pre-1.43 CVE-2025-62666 - October 18, 2025

MediaWiki GrowthExperiments Ext <=1.38 XSS CVE-2025-62667 - October 18, 2025

Incorrect Default Permissions in MediaWiki GrowthExperiments Ext (pre-1.39) CVE-2025-62668 - October 18, 2025

MediaWiki CentralAuth Extension v<1.39 Sensitive Info Disclosure CVE-2025-62669 - October 18, 2025

MediaWiki FlexDiagrams Extension Stored XSS via Improper Input Neutralization CVE-2025-62670 - October 18, 2025

Stored XSS Mediawiki UploadWizard Extension <1.39 CVE-2025-62663 - October 18, 2025

MediaWiki ImageRating Ext (1.39) - Stored XSS CVE-2025-62664 CVE-2025-62664 - October 18, 2025

MediaWiki QuizGame 1.39-1.44 Improper Input Neutralization (XSS) CVE-2025-62654 - October 17, 2025

Stay on top of Security Vulnerabilities

Wikimedia Vendor

Wikimedia MediawikiProduct

MediaWiki XSS via mediawiki.JqueryMsg.Js before 1.45.1
CVE-2025-67481 - February 03, 2026

XSS in MediaWiki Page.Preview.Js (pre1.43.6, 1.44.3, 1.45.1)
CVE-2025-67483 - February 03, 2026

MediaWiki XML API Exec in Pre-1.39.16, 1.43.6, 1.44.3 & 1.45.1
CVE-2025-67484 - February 03, 2026

MediaWiki API Query Revisions Base RCE before 1.39.16/1.43.6/1.44.3/1.45.1
CVE-2025-67480 - February 03, 2026

MediaWiki XSS in CommentParser.Php before 1.39.16 (fixed 1.39.16)
CVE-2025-67475 - February 03, 2026

MediaWiki <1.44.3/1.45.1: ImportableOldRevisionImporter.PHP RCE
CVE-2025-67476 - February 03, 2026

MediaWiki XSS in ApiSandboxLayout.Js before 1.44.3/1.45.1
CVE-2025-67477 - February 03, 2026

MediaWiki <=1.39.13, 1.43.3, 1.44.0 ParserSanitizer RCE
CVE-2025-67479 - February 03, 2026

MediaWiki XSS in mediawiki.Language.Js (before 1.39.15, 1.43.5, 1.44.2)
CVE-2025-11261 - February 03, 2026

MediaWiki XSS in CodexTablePager.PHP before 1.44.1 (VWMK)
CVE-2025-61645 - February 03, 2026

MediaWiki EnhancedChangesList.PHP RCE before 1.44.1
CVE-2025-61646 - February 03, 2026

MediaWiki XSS via WatchlistTopSectionWidget.js
CVE-2025-61644 - February 02, 2026

MediaWiki XSS via Edit.Preview.Js (pre1.39.14/1.43.4/1.44.1)
CVE-2025-61637 - February 02, 2026

MediaWiki/Parsoid XSS Sanitizer.Php (1.39.14,1.43.4,1.44.1; 0.16.6,0.20.4,0.21.1)
CVE-2025-61638 - February 02, 2026

MediaWiki ManualLogEntry PHP info leak before 1.39.14/1.43.4/1.44.1
CVE-2025-61639 - February 02, 2026

MediaWiki XSS in Rcfilters RclToOrFromWidget.Js (pre1.39.14/1.43.4/1.44.1)
CVE-2025-61640 - February 02, 2026

MediaWiki 1.44 < 1.44.1 AllPages API Vulnerability (Traversal)
CVE-2025-61641 - February 02, 2026

MediaWiki XSS via CodexHTMLForm.PHP before 1.39.14/1.43.4/1.44.1
CVE-2025-61642 - February 02, 2026

MediaWiki RCFeedNotifier PHP RCE <1.39.14, 1.43.4, 1.44.1
CVE-2025-61643 - February 02, 2026

MediaWiki PageHTMLHandler PHP RCE before 1.39.14/1.43.4/1.44.1
CVE-2025-61634 - February 02, 2026

XSS in MediaWiki <1.39.14, 1.43.4, 1.44.1 via HTMLButtonField.php
CVE-2025-61636 - February 02, 2026

MediaWiki 1.42+ BlockListPager.Php Vulnerability
CVE-2025-6589 - February 02, 2026

MediaWiki <1.44.0 Unauthorized Info Leak via HTMLUserTextField
CVE-2025-6590 - February 02, 2026

MediaWiki ApiFeedContributions.php Vulnerability pre-1.39.13/1.42.7/1.44.0
CVE-2025-6591 - February 02, 2026

MediaWiki User.Php Path Traversal 1.27.01.39.13, 1.42.71.44.0
CVE-2025-6593 - February 02, 2026

MediaWiki XSS via ApiSandbox.Js <=1.39.13,1.42.7,1.43.2,1.44.0
CVE-2025-6594 4.7 - Medium - February 02, 2026

MediaWiki AuthManager PHP RCE before 1.39.13, 1.42.7, 1.43.2, 1.44.0
CVE-2025-6597 - February 02, 2026

MediaWiki 1.42-1.44 BlockListPager.Php & ApiQueryBlocks.Php Vulnerability
CVE-2025-6927 - February 02, 2026

Mediawiki DiscussionTools 1.43/1.44: EL Injection & Regex DoS
CVE-2025-11175 - January 30, 2026

Missing Auth in MediaWiki CampaignEvents Ext 1.45-1.39 Priv Abuse
CVE-2026-0817 5.3 - Medium - January 09, 2026

MediaWiki ApprovedRevs 1.45-1.39 - XSS via magic word escape
CVE-2026-22712 - January 09, 2026

MediaWiki GrowthExperiments XSS Before 1.45 Fixed
CVE-2026-22713 - January 09, 2026

Mediawiki - Monaco Skin XSS Vulnerability in v1.45,1.44,1.43,1.39
CVE-2026-22714 - January 08, 2026

MediaWiki Wikibase 1.45 XSS via Improper Input Neutralization
CVE-2026-22710 - January 08, 2026

MediaWiki UploadWizard XSS in v1.391.45
CVE-2026-0671 6.1 - Medium - January 08, 2026

ProofreadPage Extension 1.39-1.45 XSS Vulnerability
CVE-2026-0670 6.1 - Medium - January 07, 2026

MediaWiki CSS Ext. Path Traversal (1.44) CVE20260669
CVE-2026-0669 7.5 - High - January 07, 2026

MediaWiki VisualData Ext 1.45 ReDoS via Regex Exponential Blowup
CVE-2026-0668 5.3 - Medium - January 07, 2026

MediaWiki CookieConsent Extension <= v2.0.0 XSS via Improper Input Neutralization
CVE-2025-62659 - October 22, 2025

MediaWiki LanguageSelector Extension <=1.38 Code Injection via Improper Escaping
CVE-2025-62697 - October 20, 2025

MediaWiki MultiBoilerplate Ext Stored XSS Pre1.39
CVE-2025-62700 - October 20, 2025

MediaWiki SecurePoll Ext XSS Stored Vulnerability (CVE-2025-11937)
CVE-2025-11937 - October 18, 2025

MediaWiki CirrusSearch DoS: no throttling pre-1.43
CVE-2025-62666 - October 18, 2025

MediaWiki GrowthExperiments Ext <=1.38 XSS
CVE-2025-62667 - October 18, 2025

Incorrect Default Permissions in MediaWiki GrowthExperiments Ext (pre-1.39)
CVE-2025-62668 - October 18, 2025

MediaWiki CentralAuth Extension v<1.39 Sensitive Info Disclosure
CVE-2025-62669 - October 18, 2025

MediaWiki FlexDiagrams Extension Stored XSS via Improper Input Neutralization
CVE-2025-62670 - October 18, 2025

Stored XSS Mediawiki UploadWizard Extension <1.39
CVE-2025-62663 - October 18, 2025

MediaWiki ImageRating Ext (1.39) - Stored XSS CVE-2025-62664
CVE-2025-62664 - October 18, 2025

MediaWiki QuizGame 1.39-1.44 Improper Input Neutralization (XSS)
CVE-2025-62654 - October 17, 2025

Wikimedia
Vendor

Wikimedia Mediawiki
Product